Migrating Policies Manually Use Fusion Middleware Control to deploy the application EAR file to the

Deploying Secure Applications 6-15

6.5.2.2 Migrating Credentials Manually

Note: The script migrateSecurityStore recreates GUIDs and may take a long time to migrate a large volume of credentials. For these reasons, during the transition from a test to a production environment, you may want to consider migrating policies and credentials with an alternate procedure that uses Oracle Internet Directory bulk operations. For details, see Section 6.5.2.3, Migrating Large Volume Policy and Credential Stores.

Migrating credentials manually with migrateSecurityStore requires assembling a configuration file in which the source and destination stores are specified. Since migrateSecurityStore recreates GUIDs and takes a long time to migrate a large volume of data, you may want to consider migrating stores with an alternate procedure that uses Oracle Internet Directory bulk operations. For details, see Section 6.5.2.3, Migrating Large Volume Policy and Credential Stores.

Here is a complete sample of a configuration file, named t2p-credentials.xml, illustrating the specification of credential sources in LDAP, DB, and XML storages, and of credential destinations in LDAP or DB storages:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"
               schema-major-version="11" schema-minor-version="1">
      <serviceProviders>
        <serviceProvider class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider"
                         name="credstoressp" type="CREDENTIAL_STORE">
          <description>File-based credential provider</description>
        </serviceProvider>
        <serviceProvider class="oracle.security.jps.internal.credstore.ldap.LdapCredentialStoreProvider"
                         name="ldap.credentialstore.provider" type="CREDENTIAL_STORE">
          <description>LDAP-based credential provider</description>
        </serviceProvider>
        <serviceProvider class="oracle.security.jps.internal.credstore.rdbms.DbmsCredentialStoreProvider"
                         name="db.credentialstore.provider" type="CREDENTIAL_STORE">
          <description>DB-based credential provider</description>
        </serviceProvider>
      </serviceProviders>

      <serviceInstances>
        <!-- Source file-based credential store instance -->
        <serviceInstance location="myFileBasedCredStoreLocation" provider="credstoressp"
                         name="credential.file.source">
          <description>Replace location with the full path of the folder where the file-based
          source credential store cwallet.sso is located in the source file system; typically
          located in sourceDomain/config/fmwconfig</description>
        </serviceInstance>

        <!-- Source LDAP-based credential store instance -->
        <serviceInstance provider="ldap.credentialstore.provider" name="credential.ldap.source">
          <description>Replace: A. mySourceDomain and mySourceRootName to appropriate values
          according to your source LDAP directory structure; B. ldap://mySourceHost.com:3060
          with the URL and port number of your source LDAP</description>
          <property value="bootstrap" name="bootstrap.security.credential.key"/>
          <property value="cn=mySourceDomain" name="oracle.security.jps.farm.name"/>
          <property value="cn=mySourceRootName" name="oracle.security.jps.ldap.root.name"/>
          <property value="ldap://mySourceHost.com:3060" name="ldap.url"/>
        </serviceInstance>

        <!-- Source DB-based credential store instance -->
        <serviceInstance provider="db.credentialstore.provider" name="credential.db.source">
          <description>Replace: A. mySourceDomain and mySourceRootName to appropriate values
          according to your source DB credential store</description>
          <property value="cn=mySourceDomain" name="oracle.security.jps.farm.name"/>
          <property value="cn=mySourceRootName" name="oracle.security.jps.ldap.root.name"/>
          <property value="jdbc:oracle:thin:@mySourceHost:1722:orcl" name="jdbc.url"/>
          <!-- the value of jdbc.url should be the value entered when the source datasource was set up -->
          <property value="oracle.jdbc.driver.OracleDriver" name="jdbc.driver"/>
          <property name="bootstrap.security.principal.key" value="mySourceKeyName"/>
          <property name="bootstrap.security.principal.map" value="mySourceMapName"/>
          <!-- the values of bootstrap.security.principal.key and bootstrap.security.principal.map
               should be the values entered when the bootstrap credential was set up -->
        </serviceInstance>

        <!-- Destination LDAP-based credential store instance -->
        <serviceInstance provider="ldap.credentialstore.provider" name="credential.ldap.destination">
          <description>Replace: A. myDestDomain and myDestRootName to appropriate values
          according to your destination LDAP directory structure; B. ldap://myDestHost.com:3060
          with the URL and port number of your destination LDAP</description>
          <property value="bootstrap" name="bootstrap.security.credential.key"/>
          <property value="cn=myDestDomain" name="oracle.security.jps.farm.name"/>
          <property value="cn=myDestRootName" name="oracle.security.jps.ldap.root.name"/>
          <property value="ldap://myDestHost.com:3060" name="ldap.url"/>
        </serviceInstance>

        <!-- Destination DB-based credential store instance -->
        <serviceInstance provider="db.credentialstore.provider" name="credential.db.destination">
          <description>Replace: myDestDomain and myDestRootName to appropriate values
          according to your destination DB credential store</description>
          <property value="cn=myDestDomain" name="oracle.security.jps.farm.name"/>
          <property value="cn=myDestRootName" name="oracle.security.jps.ldap.root.name"/>
          <property value="jdbc:oracle:thin:@myDestHost.com:1722:orcl" name="jdbc.url"/>
          <!-- the value of jdbc.url should be the value entered when the destination datasource was set up -->
          <property value="oracle.jdbc.driver.OracleDriver" name="jdbc.driver"/>
          <property name="bootstrap.security.principal.key" value="myDestKeyName"/>
          <property name="bootstrap.security.principal.map" value="myDestMapName"/>
          <!-- the values of bootstrap.security.principal.key and bootstrap.security.principal.map
               should be the values entered when the bootstrap credential was set up -->
        </serviceInstance>

        <!-- Bootstrap credentials to access source and destination LDAPs and DBs -->
        <serviceInstance location="./bootstrap" provider="credstoressp" name="bootstrap.cred">
          <description>Replace location with the full path of the directory where the bootstrap
          file cwallet.sso is located; typically found in destinationDomain/config/fmwconfig</description>
        </serviceInstance>
      </serviceInstances>

      <jpsContexts>
        <jpsContext name="FileSourceContext">
          <serviceInstanceRef ref="credential.file.source"/>
        </jpsContext>
        <jpsContext name="LDAPsourceContext">
          <serviceInstanceRef ref="credential.ldap.source"/>
        </jpsContext>
        <jpsContext name="DBsourceContext">
          <serviceInstanceRef ref="credential.db.source"/>
        </jpsContext>
        <jpsContext name="LDAPdestinationContext">
          <serviceInstanceRef ref="credential.ldap.destination"/>
        </jpsContext>
        <jpsContext name="DBdestinationContext">
          <serviceInstanceRef ref="credential.db.destination"/>
        </jpsContext>
        <!-- Do not change the name of the next context -->
        <jpsContext name="bootstrap_credstore_context">
          <serviceInstanceRef ref="bootstrap.cred"/>
        </jpsContext>
      </jpsContexts>
    </jpsConfig>

Note that since the migration involves LDAP and/or DB stores, the file includes a jps-context named bootstrap_credstore_context that specifies the directory where the bootstrap credential file cwallet.sso is located.

The following examples of use of migrateSecurityStore assume that the file t2p-credentials.xml is located on the target system in the directory where the script is run. Under that assumption, to migrate credentials from a test (source) LDAP store to a production (destination) LDAP store, invoke migrateSecurityStore on the target system as follows:

    migrateSecurityStore(type="credStore", configFile="t2p-credentials.xml", src="LDAPsourceContext", dst="LDAPdestinationContext")

To migrate credentials from a test (source) XML store to a production (destination) LDAP store, invoke migrateSecurityStore on the target system as follows:

    migrateSecurityStore(type="credStore", configFile="t2p-credentials.xml", src="FileSourceContext", dst="LDAPdestinationContext")

To migrate credentials from a test (source) DB store to a production (destination) DB store, invoke migrateSecurityStore on the target system as follows:

    migrateSecurityStore(type="credStore", configFile="t2p-credentials.xml", src="DBsourceContext", dst="DBdestinationContext")

The src and dst values must match the jpsContext names defined in the configuration file exactly, including case.
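As an added example (not from the guide or from Oracle), a Python pre-flight check for a t2p-credentials.xml-style file before running migrateSecurityStore: it verifies that every serviceInstanceRef and provider resolves, that the src and dst arguments name existing jpsContexts (the names are case-sensitive), and that bootstrap_credstore_context is present whenever LDAP or DB stores are involved. The embedded sample configuration is constructed and deliberately incomplete, and check_config is my own function name.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"}
BOOTSTRAP_CTX = "bootstrap_credstore_context"  # fixed name; the guide says not to change it

# Constructed sample (not from the guide): one LDAP source store, a bootstrap wallet,
# and a destination context whose serviceInstance was never defined.
SAMPLE = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
 <serviceProviders>
  <serviceProvider class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider" name="credstoressp" type="CREDENTIAL_STORE"/>
  <serviceProvider class="oracle.security.jps.internal.credstore.ldap.LdapCredentialStoreProvider" name="ldap.credentialstore.provider" type="CREDENTIAL_STORE"/>
 </serviceProviders>
 <serviceInstances>
  <serviceInstance provider="ldap.credentialstore.provider" name="credential.ldap.source">
   <property value="ldap://mySourceHost.com:3060" name="ldap.url"/>
  </serviceInstance>
  <serviceInstance location="./bootstrap" provider="credstoressp" name="bootstrap.cred"/>
 </serviceInstances>
 <jpsContexts>
  <jpsContext name="LDAPsourceContext"><serviceInstanceRef ref="credential.ldap.source"/></jpsContext>
  <jpsContext name="LDAPdestinationContext"><serviceInstanceRef ref="credential.ldap.destination"/></jpsContext>
 </jpsContexts>
</jpsConfig>"""

def check_config(xml_text, src, dst):
    """Return the problems that would make migrateSecurityStore(type="credStore",
    configFile=..., src=src, dst=dst) fail; an empty list means the file looks usable."""
    root = ET.fromstring(xml_text)
    problems = []
    providers = {p.get("name"): p.get("class", "")
                 for p in root.findall("j:serviceProviders/j:serviceProvider", NS)}
    instances = {i.get("name"): i.get("provider")
                 for i in root.findall("j:serviceInstances/j:serviceInstance", NS)}
    problems += [f"instance {n}: unknown provider {p}" for n, p in instances.items() if p not in providers]
    contexts = {}
    for ctx in root.findall("j:jpsContexts/j:jpsContext", NS):
        refs = [r.get("ref") for r in ctx.findall("j:serviceInstanceRef", NS)]
        contexts[ctx.get("name")] = refs
        problems += [f"context {ctx.get('name')}: dangling ref {r}" for r in refs if r not in instances]
    # Context names are case-sensitive: DBSourceContext does not select DBsourceContext.
    for label, name in (("src", src), ("dst", dst)):
        if name not in contexts:
            problems.append(f"{label}={name} matches no jpsContext (names are case-sensitive)")
    # LDAP- and DB-backed instances are reached through the bootstrap wallet,
    # which OPSS looks up under the fixed context name BOOTSTRAP_CTX.
    needs_bootstrap = any(".ssp." not in providers.get(p, "") for p in instances.values())
    if needs_bootstrap and BOOTSTRAP_CTX not in contexts:
        problems.append(f"missing jpsContext {BOOTSTRAP_CTX} (required for LDAP/DB stores)")
    return problems
```

Run against the sample with src="LDAPsourceContext" and dst="DBsourceContext", the check reports the dangling destination reference, the unknown dst context, and the missing bootstrap context; fixing those three yields an empty list.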

6.5.2.3 Migrating Large Volume Policy and Credential Stores

Migrating stores with the alternate procedure explained in this section is suitable when source GUIDs must be preserved, or for large volume stores where migrating with the script migrateSecurityStore would take an unacceptable amount of time.

Note: Large volume migration of stores is supported for LDAP-based stores only. It is not supported for DB-based stores.

Important: If you intend to use the procedure that follows with a destination Oracle Internet Directory version 10.1.4.3.0, then you must first apply a patch for bug number 8417224. To download this patch for your platform, visit Oracle Support at http://myoraclesupport.oracle.com.

For illustration purposes, assume that the LDAP policy store to be migrated is configured in the file jps-config.xml with a service instance as in the following fragment:

    <serviceInstance provider="ldap.policystore.provider" name="policystore.ldap">
      <property name="policystore.type" value="OID"/>
      <property name="bootstrap.security.principal" value="bootstrap"/>
      <property name="oracle.security.jps.farm.name" value="cn=base_domain"/>
      <property name="oracle.security.jps.ldap.root.name" value="cn=mySrcRootName"/>
      <property name="ldap.url" value="ldap://myCompany.com:7766"/>
    </serviceInstance>

To migrate a source Oracle Internet Directory store to a destination Oracle Internet Directory store using bulk commands, proceed as follows:

1. On the system where the source Oracle Internet Directory is located, produce an LDIF file by running ldifwrite as illustrated in the following line:

       ldifwrite connect="srcOidDbConnectStr" baseDN="cn=jpsnode, c=us" ldiffile="srcOid.ldif"

   This command writes all entries under the node cn=jpsnode, c=us to the file srcOid.ldif. Once generated, move this file, as appropriate, to the destination Oracle Internet Directory file system so it is available to the commands that follow.

2. On the destination Oracle Internet Directory node, ensure that the JPS schema has been seeded.

3. On the destination Oracle Internet Directory system, verify that there are no schema errors or bad entries by running bulkload as illustrated in the following line:

       bulkload connect="dstOidDbConnectStr" check="true" generate="true" restore="true" file="fullPath2SrcOidLdif"

   If duplicated DNs (entries common to the source and destination directories) are detected, review them to prevent unexpected results.

4. Back up the destination DB. If the next step fails and corrupts the DB, the DB must be restored.

5. Load data into the destination Oracle Internet Directory by running bulkload as illustrated in the following line:

       bulkload connect="dstOidDbConnectStr" load="true" file="fullPath2SrcOidLdif"

For details about the above commands, see Chapter 14, Performing Bulk Operations, in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

6.5.3 Migrating Audit Policies

To migrate audit policies, use the export and import operations as explained next.

First, export the audit configuration from a test environment to a file using one of the following tools:

■ Fusion Middleware Control: navigate to Domain > Security > Audit Policy, and then click Export.
■ The OPSS script exportAuditConfig. For details, see Appendix C.4.7, exportAuditConfig.

Then, import that file into the production environment using one of the following tools:

■ Fusion Middleware Control: navigate to Domain > Security > Audit Policy, and then click Import.
■ The OPSS script importAuditConfig. For details, see Appendix C.4.8, importAuditConfig.

The import/export operations above migrate audit policies only; they do not migrate the audit data store settings. If you had configured an audit data source in your test environment, repeat the steps to configure a data source in the production environment. For details, see Section 12.2.2, Set Up Audit Data Sources.

Normally, you would not want audit data records from a test environment to be migrated to production; if you do need to migrate them, use the database import/export utilities for that purpose. For details, see Section 12.5.5, Importing and Exporting Data.